ATRG: CloudGuard Controller
Solution

Table of Contents

  • Overview
  • Troubleshooting
  • Recommended Articles

Overview

The CloudGuard cloud security solution delivers advanced threat protection to private or public cloud infrastructures. It controls and manages the security in both the physical and virtual environments with one unified management solution.

With trusted APIs, the CloudGuard Controller connects to the Software-Defined Data Center (SDDC) and integrates the virtual cloud environment with Check Point Security Gateways. The CloudGuard Controller automatically updates the security policy on the Security Gateways, and it updates the GUI, API, and security logs with new and changed appliances, computers, devices, and addresses.

Refer to the CloudGuard Controller R81.10 Administration Guide.

High Level Components

  • Data Center - Virtual centralized repository, or a group of physical networked hosts, Virtual Machines, and datastores. They are collected in a group for secured remote storage, management, and distribution of data.
  • Scanner - Periodically polls objects from the Data Center. There is one scanner for each Data Center.
  • Enforcement - Updates Data Center objects used in the security policy on the gateways.
  • Auto-update - Updates Data Center objects imported on the Management server.

Troubleshooting


Confirming CloudGuard Controller is running

To check the status of the CloudGuard Controller:

Run: cloudguard

CloudGuard Controller Advanced Debugs

Debugging connectivity issues to the cloud provider:

  • Azure: curl_cli --verbose https://management.azure.com --cacert $CPDIR/conf/ca-bundle-public-cloud.crt

  • AWS: curl_cli --verbose https://ec2.<region>.amazonaws.com --cacert $CPDIR/conf/ca-bundle-public-cloud.crt

    For example:

    curl_cli --verbose https://ec2.eu-west-1.amazonaws.com --cacert $CPDIR/conf/ca-bundle-public-cloud.crt
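The curl_cli checks above are meant to be read by eye. The following shell helper is an added example, not part of this SK article or of Check Point's tooling: it classifies the verbose curl output into a coarse result (CA trust failure, DNS failure, TCP failure, or success) so the same check can be scripted on the Management Server. It assumes curl_cli accepts the --verbose and --cacert options exactly as shown above; the sample outputs at the bottom are constructed, not real captures.

```shell
# Map curl verbose/error output (passed as one string) to a coarse class:
#   ok        TLS handshake completed and the server chain validated against the
#             CA bundle (an HTTP 401/403 afterwards is expected without credentials)
#   ca_trust  chain did not validate against $CPDIR/conf/ca-bundle-public-cloud.crt
#             (stale bundle, or a TLS-inspecting proxy in the path)
#   dns       hostname did not resolve (DNS settings on the Management Server)
#   connect   TCP connection failed or timed out (routing, upstream firewall, proxy)
#   unknown   none of the known markers found; read the full output by hand
classify_curl_output() {
    if printf '%s\n' "$1" | grep -q 'SSL certificate verify ok'; then
        echo ok
    elif printf '%s\n' "$1" | grep -Eq 'SSL certificate problem|certificate verify failed|unable to get local issuer'; then
        echo ca_trust
    elif printf '%s\n' "$1" | grep -q 'Could not resolve host'; then
        echo dns
    elif printf '%s\n' "$1" | grep -Eq 'Failed to connect|Connection timed out|Connection refused'; then
        echo connect
    else
        echo unknown
    fi
}

# Run the article's connectivity check against one endpoint and classify it.
# Usage: check_cloud_endpoint https://ec2.eu-west-1.amazonaws.com
# The second argument overrides the CA bundle; the default is the one the
# CloudGuard Controller itself uses (assumed to exist at that path).
check_cloud_endpoint() {
    bundle="${2:-$CPDIR/conf/ca-bundle-public-cloud.crt}"
    classify_curl_output "$(curl_cli --verbose "$1" --cacert "$bundle" 2>&1)"
}

# Constructed sample outputs (not real captures) for checking the classifier offline.
SAMPLE_OK='* Connected to ec2.eu-west-1.amazonaws.com (203.0.113.10) port 443 (#0)
*  SSL certificate verify ok.
> GET / HTTP/1.1
< HTTP/1.1 403 Forbidden'
SAMPLE_CA_TRUST='* Connected to management.azure.com (203.0.113.20) port 443 (#0)
curl: (60) SSL certificate problem: unable to get local issuer certificate'
SAMPLE_DNS='curl: (6) Could not resolve host: ec2.eu-west-1.amazonaws.com'
SAMPLE_CONNECT='*   Trying 203.0.113.20:443...
curl: (28) Connection timed out after 20001 milliseconds'
```

Source the file in expert mode and call check_cloud_endpoint with the Azure or AWS URL from the list above; a result of ok with an HTTP 401/403 in the raw output still means the TLS path to the provider is healthy, and the problem lies in the credentials checked in the next section.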

Debugging authentication and authorization to the cloud provider:

R80.40 and higher:

AWS using Access and Secret keys

# AWS_API_DEBUG=true AWS_ACCESS_KEY=<access key> AWS_SECRET_KEY=<secret key> $FWDIR/Python/bin/python3 $VSECDIR/scripts/aws/vsec.py <region code>

AWS using the management server IAM role
# AWS_API_DEBUG=true AWS_KEY_FILE=IAM $FWDIR/Python/bin/python3 $VSECDIR/scripts/aws/vsec.py <region code>

AWS using STS Assume Role (R81.10 and higher)
# AWS_API_DEBUG=true AWS_ACCESS_KEY_ID=<access key> AWS_SECRET_ACCESS_KEY=<secret key> AWS_STS_ROLE=<full role arn> AWS_STS_SESSION=test $FWDIR/Python/bin/python3 $VSECDIR/scripts/aws/vsec.py <region>

GCP
# export GCP_CREDENTIALS=$(cat <PATH_TO_GCP_CREDENTIALS_JSON_FILE>); GCP_DEBUG=true $FWDIR/Python/bin/python3 $VSECDIR/scripts/google/vsec.py __ALL__

Azure
# AZURE_REST_DEBUG=true AZURE_CREDENTIALS='{"client_id": "<client id>","client_secret": "<client secret>","grant_type": "client_credentials","tenant": "<tenant>"}' $FWDIR/Python/bin/python3 $VSECDIR/scripts/azure/vsec.py

Note: The Azure credentials can also be placed in a file with the same JSON format as above and passed by file name:
# AZURE_REST_DEBUG=true AZURE_CREDENTIALS=creds.json $FWDIR/Python/bin/python3 $VSECDIR/scripts/azure/vsec.py

R80.30 and below:

AWS using Access and Secret keys

# AWS_API_DEBUG=true AWS_ACCESS_KEY=<access key> AWS_SECRET_KEY=<secret key> $FWDIR/Python/bin/python $VSECDIR/scripts/aws/vsec.py <region code>

AWS using the management server IAM role
# AWS_API_DEBUG=true AWS_KEY_FILE=IAM $FWDIR/Python/bin/python $VSECDIR/scripts/aws/vsec.py <region code>

GCP
# export GCP_CREDENTIALS=$(cat <PATH_TO_GCP_CREDENTIALS_JSON_FILE>); GCP_DEBUG=true python $VSECDIR/scripts/google/vsec.py __ALL__

Azure
# AZURE_REST_DEBUG=true AZURE_CREDENTIALS='{"client_id": "<client id>","client_secret": "<client secret>","grant_type": "client_credentials","tenant": "<tenant>"}' python $VSECDIR/scripts/azure/vsec.py

Note: The Azure credentials can also be placed in a file with the same JSON format as above and passed by file name:
# AZURE_REST_DEBUG=true AZURE_CREDENTIALS=creds.json python $VSECDIR/scripts/azure/vsec.py

Debugging CPRID

  • The CloudGuard Controller uses CPRID to update the Security Gateways. Check that the cprid port (TCP 18208) is allowed between the Security Management Server and the gateway:
    # $CPDIR/bin/cprid_util -server <Gateway IP> getarch
  • To remotely execute vsecUpdate.sh on a gateway:
    # cprid_util -server <Gateway IP> -timeout 120 -verbose rexec -rcmd bash /tmp/vsecUpdate.sh
